[PATCH] staging: dgap: fix overflows and format strings

From: Kees Cook
Date: Wed Sep 11 2013 - 00:44:17 EST

Next message: Steven Rostedt: "[036/251] tracing: Fix irqs-off tag display in syscall tracing"
Previous message: Steven Rostedt: "[016/251] md/raid10: fix two bugs affecting RAID10 reshape."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The boot message buffer could potentially overflow the stack and the
heap. Additionally make sure format strings could not leak into printk()
calls.

Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
drivers/staging/dgap/dgap_driver.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/dgap/dgap_driver.c b/drivers/staging/dgap/dgap_driver.c
index 724a685..40ef785 100644
--- a/drivers/staging/dgap/dgap_driver.c
+++ b/drivers/staging/dgap/dgap_driver.c
@@ -474,7 +474,7 @@ static void dgap_cleanup_board(struct board_t *brd)

DGAP_LOCK(dgap_global_lock, flags);
brd->msgbuf = NULL;
- printk(brd->msgbuf_head);
+ printk("%s", brd->msgbuf_head);
kfree(brd->msgbuf_head);
brd->msgbuf_head = NULL;
DGAP_UNLOCK(dgap_global_lock, flags);
@@ -628,7 +628,7 @@ static int dgap_found_board(struct pci_dev *pdev, int id)
DPR_INIT(("dgap_scan(%d) - printing out the msgbuf\n", i));
DGAP_LOCK(dgap_global_lock, flags);
brd->msgbuf = NULL;
- printk(brd->msgbuf_head);
+ printk("%s", brd->msgbuf_head);
kfree(brd->msgbuf_head);
brd->msgbuf_head = NULL;
DGAP_UNLOCK(dgap_global_lock, flags);
@@ -955,25 +955,28 @@ static void dgap_mbuf(struct board_t *brd, const char *fmt, ...) {
char buf[1024];
int i;
unsigned long flags;
+ size_t length;

DGAP_LOCK(dgap_global_lock, flags);

/* Format buf using fmt and arguments contained in ap. */
va_start(ap, fmt);
- i = vsprintf(buf, fmt, ap);
+ i = vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);

DPR((buf));

if (!brd || !brd->msgbuf) {
- printk(buf);
+ printk("%s", buf);
DGAP_UNLOCK(dgap_global_lock, flags);
return;
}

- memcpy(brd->msgbuf, buf, strlen(buf));
- brd->msgbuf += strlen(buf);
- *brd->msgbuf = 0;
+ length = strlen(buf) + 1;
+ if (brd->msgbuf - brd->msgbuf_head < length)
+ length = brd->msgbuf - brd->msgbuf_head;
+ memcpy(brd->msgbuf, buf, length);
+ brd->msgbuf += length;

DGAP_UNLOCK(dgap_global_lock, flags);
}
--
1.7.9.5

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Steven Rostedt: "[036/251] tracing: Fix irqs-off tag display in syscall tracing"
Previous message: Steven Rostedt: "[016/251] md/raid10: fix two bugs affecting RAID10 reshape."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]